RSRE  MEMORANDUM  ^^23 


UNLIMJTED 


it 


yi 


CO 

an 

C'i 

CD 

CM 

< 

i 

< 


RSRE 

MEMORANDUM  No.  4323 


ROYAL  SIGNALS  &  RADAR 
ESTABLISHMENT 


THE  KNUTH-BENDIX  COMPLETION  ALGORITHM 
AND  ITS  SPECIFICATION  IN  Z 

Author:  A  Smith 


PROCUREMENT  EXECUTIVE, 
MINISTRY  OF  DEFENCE, 
RSRE  MALVERN, 
WORCS. 


Ar';;irf'’rfld  lot 


90  01  02  0  &T 

UNLIMITED 


0058626 


CONOmONS  OF  RELEASE 


BR-1 12412 


COPYRIGHT  (c) 
1988 

CONTROLLER 
HUSO  LONDON 


. . .  Y 

Reports  quoted  are  not  necessarily  available  lo  meinbeis  ol  the  public  or  to  commercial 
organisations. 


OCAFCOOE  090996 


ROYAL  SIGNALS  AND  RADAR  ESTABLISHMENT 


Memorandum  4323 


Title:  The  Knuth-Bendix  completion  algorithm  and  its  specification  in  Z 

Author:  A.  Smith 
Date:  September  1989 


Summary 


Proving  that  something  is  a  consequence  of  a  set  of  axioms  can  be  very  difficult  The 
Knuth-Bendix  completion  algorithm  attempts  to  automate  this  process  when  the 
axioms  are  equations.  The  algorithm  is  bound  up  in  the  area  of  term  rewriting,  and  so 
this  memorandum  contains  an  introduction  to  the  theory  of  term  rewriting,  followed 
by  an  overview  of  the  algorithm.  Finally  a  formal  specification  of  the  algorithm  is 
given  using  the  language  Z 


\ 


Copyright 
. —  ©  .■ — 
Controller  HMSO  London 
1989 


CONTENTS 


1.  Introduction . 

2.  Termination  of  rewrite  rules . 

3.  An  overview  of  the  Knuth-Bendix  algorithm . . 

3.1  New  rules . 

3.2  Simplifying  the  set  of  rules . 

3.3  Some  points  about  the  algorithm . 

4.  A  specification  of  the  Knuth-Bendix  algorithm  in  Z 

4.1  Terms . 

4.2  Subterms . 

4.3  Substitutions . 

4.4  Terminating  rewrite  system . 

4.5  Normal  form . 

4.6  Unification . 

4.7  Critical  pairs . 

4.8  Simplifying  the  set  of  rules . 

4.9  The  algorithm . 

5.  Conclusions . 

References . 


1 

4 

7 

7 

10 

11 

12 

12 

13 

16 

17 

18 
19 
21 


23 

24 

25 


axis 

DTIC 

Unann 

Justl 

ORAM  BT 

tAB  □ 

jUDoad  □ 

DlatrlDaXlon/ 

ivallabtllty  Codas 

Dial 

r' 

Avail 

Spaa 

ud/or 

lal 

1.  Introduction 


When  carrying  out  a  formal  proof,  the  need  frequently  arises  to  cany  out 
substitutions,  for  example,  of  a  construct  for  its  definition.  If  what  is  substituted  in  a 
theorem  is  simpler  than  the  term  being  substituted,  the  theorem  can  be  simplified, 
and  in  many  cases  proved.  This  process  of  substitution  is  called  term  rewriting,  and  the 
Knuth-Bendix  completion  algorithm  is  concerned  with  the  mechanical  application  of 
rewrite  rules  as  an  aid  to  automatic  proof. 

Any  set  of  equalities  may  be  used  to  provide  die  rewrite  rules,  for  example  the  set  E  of 
equations 


e$x  =  X  (equation  1) 

(imx}$x  =  e  (equation  2) 

(x$y)$2  =  x$(y$z)  (equations) 

define  a  group.  Here,  c  is  a  constant  (the  identity  element  of  the  group),  inv  is  a  function 
which  finds  the  inverse  of  any  element  x,  and  ^  is  an  infix  operator  which  composes 
two  elements  of  the  group. 

These  equations  may  be  turned  into  a  set  of  rewrite  rules,  R 

e$x  — >  X  (rule  1) 

(inv  x)$x  — >  e  (rule  2) 

(x$y)$  2  — >  x$(y$  2)  (rule  3) 

which  may  be  used  from  left  to  right  and  never  the  other  way.  This  imponant  point  is 
the  distinction  between  an  equation  and  a  rewrite  rule;  an  equation  can  be  used  in 
either  direction,  whereas  a  rewrite  rule  can  only  be  used  from  left  to  right.  Clearly  if 
rewrite  rules  are  to  be  applied  automatically,  we  would  not  want  both  directions  of 
the  original  equations  to  represented  as  rewrite  rules,  since  this  could  cause  the 
computer  to  loop. 

For  example,  from  equation  2,  we  have  (inv  x)  Sx  =  e  and  e  =  (inv  x)  $  x  but  from 
rule  2,  we  only  have  (inv  x)$x  — >  e,  which  reads  (inv  x)$x  rewrites  to  e. 

The  variables  of  the  rules,  x,  y,  and  z,  can  be  substituted  with  any  well  formed 
expressions  made  fiom  e,  x,  y,  z,  inv  and  $.  Such  expressions  are  called  terms. 

For  example,  from  rule  3  (e$z)S  (x$x) — >  eS(zS(xS  x)),  where  the  term  e  has  been 
substituted  for  the  variable  x  of  the  rule,  the  term  z  for  y ,  and  the  term  x  S  x  for  z. 

Rewrite  rules  are  widely  used  in  computing,  since  rewriting  is  an  ideal  task  for  a 
computer.  Manipulating  equations  could  lead  to  a  computer  "looping",  since  it  could 
use  an  equation  one  way,  then  the  other,  and  so  on.  Careful  choice  of  rewrite  rules 
can  overcome  this  problem. 


1 


The  use  of  rewrite  rules  instead  of  equations  can  cause  a  loss  of  power.  This  may  be 
illustrated  by  considering  the  analysis  tool  MALPAS[1,  5]  which  has  an  automatic 
term  rewriting  engine.  This  tool  can  be  used  to  formally  verify  existing  software.  In 
MALPAS,  rewrite  rules  are  called  replacement  rules,  and  the  three  group  theory 
rules  would  be  introduced  as  follows: 

TYPE  group: 

FUNCTION  inv  (group) :  group; 

INFIX  $  (group,  group) :  group; 

CONST  e :  group; 

REPLACE (x :  group)  e$x  BY  x; 

REPLACE  (X :  group)  (inv  x)$x  BY  e; 

REPLACE  (x,  y,  2  :  group)  (x$y)$2  BY  x$(y$  z); 

MALPAS  has  an  algebraic  simplirier  which  carries  out  term  rewriting  in  an  attempt 
to  simplify  expressions.  For  example,  for  the  expression 

(x$e)$y  =  e$(x$y)  (expression  1) 

the  simplifier  will  yield  the  expression  true  since  both  sides  can  be  rewritten  10  x  $  y. 
This  is  because  the  LHS  can  firstly  be  rewritten  to  the  term  x$(e$y)  using  rule  3,  and 
then  this  term  can  be  rewritten  to  the  term  x$y  using  rule  1  on  the  subterm  e  $y.  The 
RHS  of  expression  1  can  be  rewritten  directly  to  the  term  x$y  using  rule  1. 

Now  suppose  the  simplifier  is  called  to  simplify  the  expression 

(invx)S(xSe)  =  eSe  (expression  2) 

Since  no  rule  can  be  applied  to  the  LHS  (such  a  term  is  called  irreducible  with  respect 
to  the  rules),  and  only  rule  1  can  be  applied  to  the  RHS,  the  expression 
(invx)  $(xSe)  =  e  will  be  produced.  However,  using  the  original  equations,  £,  namely 

eSx  =  X  (equation  1) 

(invx)$x  =  e  (equation  2) 

(xjyllz  =  x$(y$z)  (equations) 


we  have 


(invx)$(x$e) 

*  ((invx)Sx)$e  (using  equation  3) 
»  eSe  (using equation 2) 

and  thus  expression  2  should  really  simplify  to  true. 


2 


This  loss  of  power  that  results  from  using  rewrite  rules  instead  of  equations  can 
sometimes  be  recovered  using  the  Knufb-Bendix  completion  algorithm  [3,4].  Suppose 
a  set  of  equations  E  is  turned  into  a  set  of  rules  /{,  as  in  the  example,  then  the 
algorithm  uJces  R  and  produces  a  new  set  of  rules  R'  such  that  t  =  u  ,  where  t  and  u  are 
terms,  is  a  consequence  of  £  precisely  when  both  t  and  u  can  be  rewritten  to  the  same 
term  using  R’.  This  rewriting  of  /  and  u  is  carried  out  as  far  as  possible,  using  the  rules 
in  any  order,  and  the  terms  that  result  are  known  as  the  normal  form  of  r  and  u  with 
respect  to  R";  denoted  t  iR’  and  u  <1 R'.  Any  term  is  guaranteed  to  have  a  unique 
normal  form  with  respect  to  R\  which  is  not  necessarily  the  case  with  respect  to  £. 

As  an  example,  Knuth-Bendix  completion  on  the  three  group  theory  rules,  R,  gives  the 
ten  rules  R"  as  below. 


e$x  — >  X 

(1) 

inve  — e 

(6) 

(inv  x)$x  — >  e 

(2) 

inv(invx)  — >  x 

(7) 

(x$y)$2  — >  x$(y$i) 

(3) 

x$(invx)  — >  e 

(8) 

(invx)  $(x$y)  — >  y 

(4) 

x$<(invx)$y)  — >  y 

(9) 

x$e  — >  X 

(5) 

inv(x  $  y)  — >  (inv  y)  $  (inv  x) 

(10) 

With  these  rules,  troublesome  expressions  such  as  expression  2,  namely 
(inv  X)  S  (X  S  e)  =  e  S  e,  simplify  to  true  since  (invx)$(x$e)  I  R'  =  e  and 
e$e  i  R'  ^  e. 

The  algorithm  can  also  be  said  to  automate  deduction,  by  making  it  automatic  in 
deciding  whether  a  given  expression  should  simplify  to  true  with  respect  to  the  original 
equations,  £.  This  can  be  illustrated  by  considering  another  troublesome  expression 
with  respect  to  R,  namely 


e$x  =  x$e  (expression  3) 

With  respect  to  R,  this  expression  simplifies  to  x  =  xSe.  But  with  respect  to  £ 


2 

e$x 

(inv(inv  x)  $  (invx))  $  x 

(using  equation  2) 

= 

inv(inv  x)  S  ((inv  x)  $  x) 

(  " 

"  3) 

«5 

inv(invx}  $  e 

(  " 

"  2) 

C 

inv(invx)$(e$e) 

(  " 

"  1) 

= 

{nv(inv  x)  $  (((inv  x)$x)$  e) 

(  " 

"  2) 

(inv(inv  x)  S  ((inv  x)  $x))$e 

(  " 

"  3) 

« 

((inv(inv  x)  $  (inv  x))  $x)$e 

(  " 

"  3) 

s 

(e$x)$e 

(  ” 

■■  2) 

= 

x$e 

(  •’ 

"  1) 

and  so  expression  3  should  really  simplify  to  true,  and  indeed  it  does  with  respect  to  R’. 
The  above  proof  using  the  equations  is  by  no  means  obvious  (nine  steps  !)  and  really 
highlights  the  advantage  of  generating  R\  since  expression  3  then  simplifies  to  true  by 
the  automatic  application  of  these  rules. 


3 


2.  Termination  of  rewrite  rules 

A  bad  set  of  rewrite  rules  can  still  cause  the  computer  to  loop.  Consider  the  rule 
X  ®  y  — >  y  ®  X  (rule  A) 

Since  any  terms  can  be  substituted  for  the  variables  of  a  rule  then 
y ®x  — >  x®y 
giving  the  infinite  rewrite  sequence 

X  ®  y  — >  y  ®  X  — >  X  ®  y  — >  .... 

So  any  set  of  rewrite  rules  containing  rule  A  could  cause  the  computer  to  loop. 

A  set  of  rules  supplied  to  the  Knuth-Bendix  algorithm  must  not  cause  this  problem. 
A  set  of  mles  that  do  not  cause  this  problem  is  called  terminating  [2].  To  show 
termination  of  a  set  of  rules  R,  there  must  exist  an  ordering  »,  on  terms,  which  is 

1.  transitive 

t»UAU»v  ^  t»v  for  all  terms  f,  u,  and  v 

2.  irreflexive 

-I  (f »  I)  for  all  terms  r 

3.  closed  with  respect  to  substitution 
t»u  ^  S(t,  a)  »  S(u,  a) 

for  all  terms  r  and  u,  and  substitutions  o  of  the  variables  for  terms 
(5(r,  <j)  denotes  the  term  r  after  the  substitution  o  has  been  carried  out) 

4.  monotonic 

t»u  =»  f( ..  ,t, .. )  »f( ..  ,u. .. ) 

(Both  t  and  u  form  the  n'^  argument  for/ for  some  n) 
for  all  terms  r,  u,  all  functions /,  and  all  n  €  7  ..  deg  f 

5.  well  founded 

there  are  no  infinite  (strictly  descending)  sequences  of  terms 
t»u»v»w» .... 

and  that  / »  r  for  each  rule  /  — >  r  in  /?. 


4 


With  a  terminating  set  of  rules  R,  the  successive  application  of  rules  to  any  term  t,  in  any 
order,  will  eventually  produce  an  irreducible  term. 

Property  1  is  needed  to  ensure  that  as  rules  are  applied  one  after  another,  the  terms 
get  consistently  smaller.  Without  property  2,  there  could  be  the  iuHnite  sequence 
t  — >  r  — >  t  — ....  for  some  term  r.  Property  3  is  needed  because  a  rule  is  used 
in  its  substituted  form.  For  example,  from  the  rule  e$x — >x  then 
e  $  (inv  y)  — inv  y  can  be  obtained,  and  so  it  is  not  good  enough  to  know  that 
e$x»x\  it  must  also  be  the  case  that  e$(imy) » invy.  Property  4  is  needed 
because  subterms  can  be  rewritten.  For  example  as  inv(e  $  x)  — >  inv  x  by  using  the 
rule  e%x  — >  x  on  the  subterm  e  jx  of  inv{e  5  xi,  it  is  not  good  enough  to  know  that 
e%x»x\  it  must  also  be  the  case  that  inv(eSx}  » invx.  Property  5  is  needed  to 
ensure  that  as  a  term  is  rewrinen  to  smaller  and  smaller  terms,  the  rewriting  must 
eventually  stop. 

Such  an  ordering  »,  is  input  into  the  Knuth-Bendix  algorithm  along  with  the  set  of 
rules.  This  ordering  not  only  ensures  termination  of  the  existing  rules,  but  is  needed 
in  forming  new  rules  as  described  in  section  3.1. 

The  original  three  group  theory  rules  fcnm  a  terminating  set  of  rules.  This  can  be 
shown  using  the  Knuth-Bendix  Ordering  (KBO)  as  described  in  their  original 
paper[4].  In  general  it  considers  a  simpler  term  to  be  smaller  than  a  complicated 
term.  Essentially  it  regards  the  complexity  of  a  term  to  be  the  number  of  symbols 
appearing  in  the  term,  but  it  also  weights  the  function  symbols  (in  the  literature, 
constants  are  regarded  as  functions  which  take  no  arguments,  and  so  these  too  are 
given  a  weight).  It  is  also  necessary  to  label  each  function  in  the  form/^.  What  follows  is 
the  result  of  letting/;  =  e  have  weight  I./2  =  S  have  weight  0,  and =  inv  have  weight 
0. 

The  weight  w(t),  of  a  term  r,  is  then  the  number  of  occurrences  of  variables  in  r  plus  the 
number  of  occurrences  of  e  in  t.  For  example  the  weight  of  the  term 
(x  $y)  $  inv(e  $  x)  is  4.  Let  n(v,  t)  be  the  number  of  occurrences  of  the  variable  v  in  the 
term  r.  For  example  n(  x,  (ySx)$x}  =  2. 


5 


^  I  ■ 


The  ordering  »  on  the  terms,  is  then  defined  as  follows: 
t»u  if  and  only  if 

either  ( w(t)  >  w(u)  and  n(v,  t)  k  n(v,  u)  for  all  variables  v  ) 
or  ( w(t)  =  \v(u)  and  n(v,  t)  =  n(v,  u)  for  all  variables  v  and 

either  r  =  inv’"  v  and  u  =  v  for  some  m  2  1  and  variable  v 
or  r  =  inv  p  and  u  =  e 

or  r  =  im p  and  u  =  q$r 

or  t  =  p$qsind  u  =  r  $  s  and  p*  r  md  p»r 

or  t  =  p$q  and  u=p$r  and  q*r  and  q»r 

or  r  =  inv  p  and  u  =  inv  q  and  p*q  and  p»  q) 
where  p,  q,  r  and  s  are  terms 

It  can  be  shown  that  the  above  ordering  satisfies  the  5  conditions  required,  so  now 
just  the  rules  themselves  need  to  be  checked  that  they  obey  » . 

rule  1  e$x  — >  x 

w(LHS)  >  w(RHS)  and  n(x.LHS)  =  n(x,RHS).  So  LHS  »  RHS  by  O  1 . 
rule  2  (inv  x)$x  — >  e 

w(LHS)  >  w(RHS)  and  n(x.  LHS)  >  n(x,  RHS).  So  LHS  »  RHS  by  O  1 . 
rule  3  (x$y)$z  — >  x$(y$z) 

w(LH3)  =  w(RHS)  and  n(v,  LHS)  ~  n(v,  RHS)  for  v  =  j:,  y  and  z,  so  O  2  holds. 
Also  O  2.4  holds  with  p  =  x$y  and  r  =  x,  since  p»r  by  O  1 . 

So  LHS»RHS  by02and02.4. 


(Ol) 
(0  2) 
(02.1) 
(02.2) 
(02.3) 
(0  2.4) 
(0  2.5) 
(0  2.6) 


6 


3.  An  overview  of  the  Knuth*Bendix  algorithm 

Using  the  original  set  of  rewrite  rules  for  a  group,  it  was  not  possible  to  establish  the 
equality  of  (inv  x)  $  (x  $  e)  and  e  $  e.  This  was  because  the  inteiinediate  term 
((inv  x)  $  x)  $  e  could  not  be  derived  using  the  rewrite  rules,  because  it  would  have 
involved  using  rule  3  backwards.  There  was  no  problem  when  the  original  equations 
were  used  since  equations  can  be  used  in  either  direction.  This  directionality 
problem  is  illustrated  in  figure  1. 


3.1  New  rules 

The  Knuth-Bendix  completion  algorithm  replaces  all  these  problem  "peaks"  as  in 
Hgure  1  with  "troughs"  as  in  figure  3  by  int^ucing  new  rules.  Figure  3  shows  how 
with  a  new  rule 


(inv  x)  $(x$  y)  — >  y  (rule  4) 

in  addition  to  the  other  rules,  both  (inv x)  S(x  Sc)  and  e$e  can  be  rewritten  to  the 
same  term  e,  and  thus  be  shown  equal  using  rewrite  rules. 

The  problem  therefore  is  to  derive  the  new  rules.  Figure  1  shows  how  the  peak  term 
was  rewritten  using  two  different  rules;  rules  2  and  3.  Rule  3  was  used  on  the  whole 
term  while  rule  2  was  used  on  just  the  subterm  (inv  x)  $  x.  Knuth  and  Bendix  found  that 
this  was  characteristic  of  all  problem  peaks;  that  two  different  rules  are  used  to 
rewrite  the  term;  one  on  the  whole  term,  the  other  on  a  subterm. 

They  realised  that  these  peak  terms  could  be  generated  automatically  by 
superimposing  the  LHS  of  one  rule  onto  a  subterm  of  the  LHS  of  another  (provided 
this  subterm  is  not  simply  a  variable).  It  is  then  guaranteed  that  the  whole  term  can 
be  rewritten  with  one  rule  and  a  subterm  with  another.  The  two  resulting  terms, 
known  as  a  critical  pair,  are,  if  possible,  made  into  a  new  rule,  thus  removing  the 
need  for  a  problem  peak. 

As  an  example,  rule  4  will  be  constructed  horn  rules  2  and  3.  Figure  2  shows  the 
generation  of  a  critical  pair,  q> j  and  c/tj’  ^  Notice  how  figure  2  is  a 

general  version  of  figure  1,  with  the  peak  of  figure  2  using  the  variable  z  with  that  of 
figure  1  using  the  constant  e.  The  general  case  is  considered  because  then  other 
problem  peaks  of  a  similar  form  will  be  covered  by  this  general  case.  Thus 
general  unification  [6]  is  used  to  superimpose  one  rule  onto  another. 


7 


8 


This  process  of  superposition  and  genera]  unification  is  best  explained  by  continuing 
the  example  which  involves  rules  2  and  3. 


(invx)Sx — >e  (rule!) 

(x$y)  $2  — >  xS(yS  2)  (rule  3) 

The  variable  x  in  rule  3  is  changed  to  w 

(invx)$x — >e  (rule  2) 

(w$y}$  2  — w$(y$  2)  (rule  3) 


so  that  the  rules  have  no  common  variable.  This  in  no  way  changes  the  meaning  of  a 
rule  since  the  variables  of  a  rule  are  local  to  that  rule  and  so  may  be  changed. 

We  want  to  superimpose  the  LHS  of  rule  2  onto  the  subterm  w  5  y  of  the  LHS  of  rule  3. 
So  general  unification  is  carried  out  on  the  terms  (inv  x)  $  x  and  w  $  y.  This  means 
finding  the  most  general  substitution  of  the  variables  for  terms  that  will  make  both 
terms  the  same.  In  this  case  it  is  the  substitution 

{  w  invx,yy*x  } 

where  w  B  invx  means  replace  w  by  invx.  This  substitution  transforms  both  terms  to 

(invxjJx  (term  1) 

Also  it  is  the  most  general  substitution  in  the  sense  that  for  any  other  substitution 
which  makes  the  two  terms  the  same,  say  { at  e,  w  H  inv  e,yy^e},  then  the  term  that 
this  gives,  (inv  e)  $  e,  can  be  obtained  from  term  1  by  means  of  another  substitution, 
{  X  »  e  }.  The  process  of  general  unification  can  be  carried  out  automatically  using 
the  general  unification  algorithm  [6]. 

Having  obtained  a  critical  pair,  each  is  rewritten  to  its  normal  form  with  respect  to 
the  current  set  of  rules.  In  the  case  of  the  critical  pair  of  figure  2,  this  means  with 
respect  to  rules  1, 2  and  3,  obtaining  the  terms 

(invx)$(x$2)  and  z  (A) 

If  these  terms  are  different,  as  in  this  case,  they  are  made  into  a  new  rule  making  sure 
that  it  obeys  the  ordering  »  that  was  input  into  the  algorithm.  With  the  KBO 
described  in  the  last  section,  it  turns  out  that  (inv  x)$(x  $2)  »  z  and  so  the  new  rule 
is 


(invx)$(x$2)  — >  z 


9 


Thus  rule  4  has  been  derived  since  z  can  be  changed  for  y.  The  current  set  of  rules  is 
thus 


e$x  — >  X  (rule  1) 

(invx)$x  — >  «  (rule  2) 

(x$y)$z —>  x$(y$z)  (rule3) 

(inv  x)S(xS  y)  — >  y  (nile  4) 


If,  for  some  other  two  rules,  the  terms  at  stage  (A)  above  are  the  same,  then  no  new 
rule  is  made  and  the  new  rule  process  is  started  again  with  another  two  rules.  Also  if 
ever  the  terms  at  stage  (A)  cannot  be  ordered  under  »  then  the  whole  algorithm 
fails.  If  for  all  rules  and  all  possible  superpositions  the  terms  at  stage  (A)  are  the 
same,  then  the  algorithm  terminates  successfully  with  the  current  set  of  rules. 


3.2  Simplifying  the  set  of  rules 

Each  time  a  new  rule  is  generated,  the  entire  new  set  of  rules  is  checked  to  ensure 
that  each  rule  is  made  up  only  of  irreducible  terms  with  respect  to  the  other  rules. 
For  example,  this  is  true  of  the  new  set  of  four  rules,  since  for  any  rule  neither  side 
can  be  reduced  with  respect  to  the  other  rules. 

But  this  is  not  always  the  case.  If  there  is  a  rule  where  either  (or  both)  sides  can  be 
reduced  with  respect  to  the  other  rules,  then  one  of  the  following  can  occur: 

(1)  If  the  normal  forms  (with  respect  to  the  other  rules)  of  each  side  are  equal  then 
the  rule  is  removed,  and  the  simplification  process  is  started  again  with  the  new 
set  of  rules.  So  rules  can  disappear  as  well  as  being  created  ! 

(2)  If  the  normal  forms  (with  respect  to  the  other  rules)  of  each  side  are  not  equal 
then  the  rule  is  replaced  by  a  new  rule  made  from  these  normal  forms,  provided 
they  can  be  ordered  under  ».  The  simplification  process  is  started  again  with 
the  new  set  of  rules. 

(3)  If  in  (2),  the  normal  forms  can  not  be  ordered  under  » then  the  whole  algorithm  fails. 

When  all  the  rules  consist  only  of  irreducible  terms  with  respect  to  the  other  rules, 
then  the  simplification  has  finished  and  another  new  rule  is  generated  from  this 
latest  set,  as  in  the  last  section,  and  so  on. 


10 


As  an  example  of  the  simplification  process,  the  example  of  the  last  section  will  be 
continued.  The  current  set  of  four  rules  do  not  need  simplifying,  and  this  continues  to 
be  the  case  until  rule  7  has  been  generated. 


e$x  — >  X 

(rule  1) 

(invx)  Sx  — >  e 

(rule  2) 

(x$y)$  2  — >  x$(y$z) 

(rule  3) 

(invx)$(x$y)  — >  y 

(rule  4) 

(inv(inv  x))  $  e  — x 

(rule  5) 

(inve)$x  — >  x 

(rule  6) 

(inv(invx))$y  — x$y 

(rule  7) 

Now  rule  S  can  be  simplified  with  respect  to  the  other  rules,  since  the  LHS  of  rule  5 
can  be  rewritten  using  rule  7  to  yield  ^e  expression  x  j e.  It  turns  out  that x$e»x 
and  so  rule  5  is  simplified  toxSe  — x,  and  the  set  of  rules  becomes 


e$x  — >  X 

(rule  1) 

(inv  x)$x  — e 

(rule  2) 

(x$y)$2  — >  x$(y$  2) 

(rule  3) 

(invx)$(x$y)  — >  y 

(rule  4) 

x$e  — >  X 

(rule  5) 

(inv  e)$x  — >  x 

(rule  6) 

(inv(invx))$y  — >  x5y 

(rule  7) 

3.3  Some  points  about  the  algorithm 

(1) For  a  finite  set  of  rules,  the  complete  set  could  be  infinite  and  so  the  algorithm 
will  never  terminate  (unless  it  fails  because  of  »). 

(2)  The  algorithm  is  very  dependent  on  the  ordering  ».  For  the  same  set  of  rules,  the 
algorithm  can  succeed  with  one  mdering,  and  not  with  another. 

(3)  As  described  in  section  2,  the  algorithm  cannot  handle  rules  of  the  form 
x9y  — >  y9x,  since  any  rewrite  system  that  contains  such  a  rule  will  not  be 
terminating.  Another  example  is  the  rule  x  (g>  (y  z)  — y  @  fx  (g)  z>.  Rules  of  this 
form  are  known  as  permutative  rules,  because  one  side  can  be  obtained  from  the 
other  by  a  simple  permutation  of  the  variables.  There  are  ways  of  dealing  with 
some  of  these  rules,  with  different  techniques  needed  for  different  situations. 
These  techniques  ate  beyond  the  scope  of  this  repon,  which  concerns  itself  only 
with  the  original  Knuth-Bendix  algorithm  as  describ^  in  [4]. 


11 


4.  A  specification  of  the  Knuth*Bendix  completion  algorithm  in  Z 

Throughout  the  specification,  examples  from  the  original  three  group  theory  rules 
will  be  given. 

e$x  — >  X  (rule  1) 

(invx)Sx — >e  (rule  2) 

(xSyjSz  — >  x$(y$z)  (rule3) 

4.1  Terms 

The  set  of  variables  VAR  must  include  not  only  the  variables  contained  in  the  initial 
set  of  rewrite  rules,  but  all  the  extra  variables  needed  during  the  construction  of  new 
rules.  For  example,  the  rules  above  use  the  variables  x,  y  and  z  and  so  these  are  in  VAR. 
Also,  when  constructing  rule  4  the  variable  w  was  used  (see  section  3.1)  and  so  w  must 
be  in  VAR.  Other  variables  are  used  during  the  construction  of  the  other  rules  and  so 
these  too  must  be  in  VAR. 

[VAR] 

The  set  of  functions  F  together  with  the  variables  make  up  the  set  of  terms.  Any 
constants  are  regarded  as  functions  which  take  no  arguments.  For  example, 
F  =  {e,  im,  $  }. 

[F] 

The  degree  of  each  function  is  the  number  of  arguments  it  takes.  For  example,  deg  e  =  0, 
deg  inv  =  1  and  deg  S  =  2. 

deg  :F->0i 

The  set  of  terms  are  constructed  from  VAR  and  F.  For  example,  z  $  (inv  x)  is  in  TERM. 
[TERM] 

CONSTANT  ==  V  F 1  degf  =  0} 

_  Constructed  term  ^ 

\f:F 
s :  seqjTERM 


Ms  =  degf 


TERM  ::=  conViCONSTANTh  \  varMVARSt  |  constructV.Constructedjerm'M 


12 


4.2  Subterms 


Any  term  r  can  be  represented  by  a  tree  structure.  Also  the  points  on  its  tree  structure 
can  be  labelled  with  sequences  of  numbers.  Fot  any  term  r,  siAterm  r  is  a  function  which 
associates  each  sequence  with  the  subterm  from  that  point  For  example,  if  t  is  the  term 
(invy)  $(y$  (invx))  as  in  figure  4  then  subterm  t  is  the  fiinction 

im  y,  <2) »  y  i  (invx),  (IJ)  **  y,  {2.7>  »  y.  (2.2)  t*  im  x,  (22,1)  x  } 

■  =1 

subterm  :  TERM  (seq  W  TERM) 


V  t :  TERM  • 

1 1  ran  construct  subterm  t=  {0 

t  e  ran  construct  ^ 
subterm  t=  {0  f} 

0{  n  :domsj  •  {p :  dom  (subterm  (Sj  n))  •  (n)  ~  pr*  subterm  (sjn)p)) 
where 

Sj  ==  (construcr^  t).s 


The  function  replace  replaces  a  subterm  of  a  tenn  with  another  teitn.  replaced,  u,  p)  is 
the  result  of  replacing  the  subterm  of  r  from  the  point  p  with  the  term  u.  For  example  if 
r  is  the  tenn  (inv  y)S(yS  (inv  x))  as  in  figure  4,  p  is  the  the  point  (2,2)  and  u  is  the  term 
e$2  then  replace(t,  u,  p)  is  the  term  {itny)  %{y%{e%  z)). 


replace :  (TERM  x  TERM  x  seq  W;  -+♦  TERM 
replace  =Xt,u:  TERM;  p :  seq  IN  |  p  e  dom(subterm  t) » 
p  V ;  TERM  | 

(t  e  ran  con  av  =  u) 

V 

(t  €  ran  var  av=  u) 

V 

(t  €  ran  construct  ap  =  (}av=u) 

V 

f€  ran  construct 
P*0 

V  e  ran  construct 

f2=fj 

S2  =  Si®  {hdp^  replace(s  j(hd  p),  u,  tl  p)  } 
where 

f]==  (construcr*^  t).f 
Sy  ==  (construcr^  l).5 
/j  ==  (construcr^  v).f 
==  (construcr^  v).s 

•  V 


4J  Substitutions 


A  substitution  is  any  function  from  variables  to  terms,  for  example  zv^e}. 

SUBSTITUTION  ==  ran  var  -H  TERM 


The  function  5  actually  performs  a  substitution  on  a  term.  Given  a  term  t  and 
substitution  a,  S(t,  a)  is  Ae  result  of  carrying  out  o  on  t.  For  any  variable  v  in  the 
domain  of  o,  all  occurrences  of  v  in  i  are  repaced  by  a(v}.  Also  the  substimtion  of  all 
the  variables  in  the  domain  of  o  that  appear  in  t,  are  carried  out  simultaneously.  For 
example,  if  r  is  the  term  fy  S  yj  S  x  and  o  is  the  substitution  {xt^yje,  y^»x}  then 
S(t,  a)  is  the  term  (x$x}$(y$  e). 

===— =  -■='=  -  -  -  =:rr 

S :  (TERM  x  SUBSTITUTION)  ->  TERM 
S=kt:  TERM;  a  :  SUBSTITUTION  • 

(I  u :  TERM  1 
(t  e  ran  con  a  u  s  f) 

V 

({ e  ran  var  /\te  dom  o  a  u  «  a  t) 

V 

(t  e  ran  var  a  i «  dom  o  a  u  » t) 

V 

t  e  ran  construct 
u€  ran  construct 

f2^fl 

V  n  .•  dom  Jj  •  J2  ® 
where 

fj  s=  (construcf^  t)/ 

Sj  *=  (construct-*  t)j 
/j  (construct^  u)f 
S2  --  (construcr*  u).s 

•  u 

- - - —  — 


16 


4.4  Terminating  rewrite  system 

As  described  in  section  2,  to  show  teraiination  of  a  set  of  rewrite  rules  there  must  be 
an  ordering  »  on  terms  which  satisfies  rive  conditions.  It  must  then  be  shown  that 
the  rules  themselves  obey  » .  Below  are  these  five  conditions,  with  the  definition  of 
a  terminating  rewrite  system  afterwards. 

I  »  ;  TERM  <-»  TERM 


V  t,u,v :  TERM  •  t»  uau»v  t»v 

V  t :  TERM  *-t(t»  t) 

t,u:  TERM;  o  .•  SUBSTITUTION  •t»u  =»  S(t,  a)  »  S(u,  a) 
'Vt.u:  TERM  • 

t»u  ^  (V  v,w  :  ran  construct;  n :  IN  | 

(construcr^  vJ/=  (construcr*^  w).f 
ne  dom  (construcr^  v).s 
(construcr^  n  =  t 
(construcr^  w)j  n  =  u 
•  v»w) 


V  t :  TERM  •  3  n  .•  IN  •  f «  dom  ( (_» ) 


Given  a  set  of  terms  and  an  ordering  »  on  terms,  then  a  rule  is  any  pair  of  terms,  and 
a  teiminating  rewrite  system  is  any  set  of  rules  that  obey  >>. 

RULE  ==  (TERM  x  TERM) 

TERMINATING_REWRITE_SYSTEM  ==  IP  {  rule :  RULE  \  (fst  rule)  » (snd  rule) } 


17 


4.5  Normal  form 


Given  a  terminating  rewrite  system/?,  then  a  term  /  rewrites  to  another  termu,  in  one 
step,  if  and  only  if  there  is  a  rule  in  R  that  rewrites  a  subterm  of  r  (possibly  t  itself),  so 
that  t  becomes  u.  If  this  is  the  case  then  t  (—>  R)  u  .  For  example,  if  /?  is  the  original  set 
of  three  group  theory  rules  then  (e  $y)  $<e  $  x)  rewrites  in  one  step  to  either  y${t$x) 
at{e$y)$xfxe%{y%{e%x)). 

->  3=  Xtrs:TERMINATlNG_REWRrrE_SYSTEM> 

{  f,  M  .•  TERM  1 3  rule :  trs;  p :  dom(subterm  t):  a  :  SUBSTITUTION  • 

^  subterm  t  p  =  S<fst  rule,  a) 

u  =  replace(  t,  S(snd  rule,  o),  p ) 

1 

I  } 

Given  a  term  t  and  a  terminating  set  of  rules  R,  then  r  i  /?  is  the  normal  form  of  t  with 
respect  to  R  and  is  obtained  by  applying  rules  from  R,tot,  one  after  another  until  no 
more  apply.  In  general  the  normal  form  is  not  unique.  For  example,  if  R  is  the  original 
set  of  three  group  theory  rules  then  the  normal  form  of  ((inv  x)  $  x)  $  e  is  either  e  or 
(invx)S(x$e). 

'  4.  =  =  X  rrs  .•  TERMINATING JREWRITEJYSTEM  • 

I  {t.u:  TERM  | 

t  e  dom(">  trs)=^  ut  dom(->  trs)  a  (t,  u)  e  ((-->  trs)*) 

1 1  dom(">  trs)  ^  u-t 

} 


1 

I 

I 

I 

\ 

I 

» 

t 

) 

! 


18 


4.6  Unification 


The  function  v  gives  the  variables  tiiat  appear  in  a  term.  For  example  if  r  is  the  term 
(x$y)$(x$  e)  then  v(t)  is  the  set  {x,  y}. 

V  ==  X.  f ;  TERM  •  {  x ;  ran  var  1 3  p :  dom(subterm  t)  •  subterm  tp=x) 


Given  two  terms  t  and  u,  a  substitution  o  is  a  nx>st  general  unifier  of  t  and  u  if  it  makes 
t  and  u  the  same  and  is  most  general  as  described  in  section  3.1.  The  most  general 
unifier  of  two  terms  is  not  unique;  for  example  the  two  terms  x  and  y  have  most  general 
unifier  {x  **  >}  or  {y  »  x}. 

=  -----  -  ..  .  i.| 

mgu  :  (TERM  x  TERM)  SVBSJnVTION 


TERM;  a  :  SUBSTITUTION  • 
mgu((t,  u),  a) 
v(t)  n  \/(u)  =  {} 

a  e  uni^ 

V  1 :  unify  >3  p:  SUBSTITUTION  •  S(  S(t.  a),  p)  =  S(t,  x) 
where 

unify  ==  {  t .-  SUBSTITUTION  IfV  x  :  dom  t  •  x  «  vft  x>  a  S(t,  x)  =  S(u,  x))  } 


When  mgu  is  used,  during  the  generation  of  critical  pairs,  we  need  to  make  sure  that 
the  two  rules  have  no  common  variable.  For  example,  in  section  3.1,  when  a  critical 
pair  of  rules  2  and  3  was  being  formed,  rules  2  and  3  were  transformed  from 
(inv  x)  $  X  — >  e  and  (x  $  y)  $  2  — >  x  $  (y  $  z)  to  (inv  x)  $  x  — >  e  and 
(w$y)$z  — >  w$(y$  2). 

—  '-q 

varj:hange :  (RULE  x  RULE)  (RULE  x  RULE) 


V  rulej,  rule2,  rj,  Tj  .•  RULE  • 

var_change(  (rulCj,  ru/cjj,  (rj,  Tj)  ) 

(v(fstrj)uv(sndrj))  n  (\/(fsi  r2)  U  v(snd r2))  =  {} 
3  o,  X  ;  ran  var  >f»  ran  var  • 
dom  a  =  v(fst  rulej)  u  v(snd  rulej) 

dom  X  =  \(fst  rule2)  u  v(snd  rjdcj) 

S(fst  rulej,  a)  =f St  rj 
S(snd  rulej,  a)  =  snd  rj 
S(fst  rule2,  'i)=fst 
S(snd  rutej,  1)  =  snd 


20 


4.7  Critical  pairs 

As  described  in  section  3.1,  critical  pairs  are  used  in  the  generation  of  new  rules.  In 
the  schema  below,  cpj  and  cp2  are  a  critical  pair.  The  actual  formation  of  new  rules 
occurs  in  the  function  knuth_bendix  in  section  4.9. 

Critical _pair _ i 

trs :  TERMINATING JiEWRrrEJYSTEM 
cp ],  cp2  ••  TERM 

3  ndcj,  rule2  :  trs;  rj,  rj  ;  RULE;  p :  seq  W;  o  ;  SUBSTITUTION  • 

var_change(  (ruUj,  rule2),  (rj,  r2>  ) 
p  e  dom  ( subterm  (fstr^)) 
subterm  (fstrj)  pi  ranvar 
mgu(  ( subterm  (fst  r  j)  p,  fst  r2  ),  a  ) 
cpj  =  S(sndrj,a) 

cp2  =  replace(  S(fstrj,<s),  S(sndr2,a),  p  ) 


4.8  Simplifying  the  set  of  rules 


The  function  simplify  conesponds  to  the  simplification  of  the  set  of  rules  as  described 
in  section  3.2.  Failure  has  been  handled  by  outputting  the  empty  set  of  rules.  The 
result  of  simplify  is  a  set  of  rules  where  each  rule  consists  only  of  irreducible  terms 
with  respect  to  the  other  rules. 

1  simplify  :  TERMINATING JtEWRlTE  SYSTEM  -»  TERMINATING JiEWRJTEJYSTEM 


V  trsj  :  TERMINATING_REWRITE_SYSTEM» 


trS]  =  {}  A  simplify  trsj  =  trsj 

V 


(  V  rule  :  trSj  • 

fst  rule  e  dome  -'>(trs j\{rule}) ) 
snd  rule  «  dom(  ->(trsj\{rule}} ) 

) 

A  simplify  trsj  =  trsj 


V 


( 3  rule  :  trsj  • 

V  *  fst  rule  s/  w*  snd  rule 

V  =  w  =>  simplify  trs  j  =  simplify  trsj 

V  >>  w  =>  sirripiify  trSj  =  simplify  ftrsj  u  {fv,  w)}) 
w  >>  V  simplify  trs j  =  simplify  (trS2  *-<  {(w,  v)}) 
-,(v  =  w  V  v>>H'  V  w»v )  ^  simplify  trsj  =  {} 

where 

V,  w ;  TERM 

trs2 :  TERMINATING JiEWRITEJYSTEM 

trs2  =  trsi\{rule) 

(fst  rule,  v;  €  i  trs2 
(snd  rule,  w)€  i  trS2 


22 


4.9  The  algorithm 

The  function  kruuhjbendix  generates  a  complete  set  of  rules  as  descnb^  in  the 
introduction.  It  docs  this  recursively  by  generating  new  rules  from  critical  pairs, 
simplifying  the  set  of  rules  and  so  on.  Once  again,  failure  has  been  handled  by 
outputting  the  empty  set  of  rules. 

I  kmuhjendix :  TERMINATING  REWRTTEJYSTEM  -» 

TERMINATING _REWR1TEJYSTEM 


V  trsj  :  TERMINATING JiEWRTTEJYSTEM  • 


rrr;  =  {}  A  knuth_bendix  trsj  =  trsj 


V 


( V  Critical _pair  |  trs  =  trSj» 
t  =  u 
where 

t,  u :  TERM 

(cpj.t)  e  i  trSj 
(CP2,  u)e  i  trSj 

) 

A  knuthjjendix  trsj  =  trSj 


V 


( 3  Critical jtair  \  trs  =  trs 
t*u 

t»u  knuth  bendix trsj  =  knuthjbendix ( simplify (trsj'^{(t,u)))) 
u»t  knuthjbendix  trsj  -  knuthjbendix  ( simplify  (trs  j  u  {(u,  t)}) ) 
-i(  t»  u  V  u»  t)  =>  knuthj?endix  trsj=  {} 
where 

t,  u :  TERM 

(cpj,  Oe  i  trsj 
(cp2,  u)e  i  trs j 


23 


5.  Conclusions 


Rewrite  rules  are  widely  used  in  computing  since  rewriting  is  an  ideal  task  for  a 
computer,  and  also  manipulation  of  equations  could  cause  a  computer  to  loop,  since 
it  could  use  an  equation  one  way  and  then  the  other  and  so  on.  Careful  choice  of 
rewrite  rules  can  overcome  this  problem  since  they  can  only  be  used  in  one 
direction. 

Simply  converting  equations  into  rewrite  rules  by  replacing  the  "equals"  sign  by  a 
"rewrite"  sign  can  cause  a  loss  of  power,  with  expressions  that  sin^lify  to  true  using  the 
equations,  not  simplifying  to  true  using  the  rewrite  rules.  This  report  illustrates  this 
point  using  the  MALPAS  system  which  contains  an  algebraic  simplifier  which  in 
turn  contains  a  term  rewriting  engine. 

The  user  could  try  manually  to  add  extra  rules  to  compensate  for  this  loss  of  power 
but  runs  the  risk  of  adding  inconsistencies  and  non-termination,  and  even  then  not 
being  sure  that  all  the  power  had  been  recovered.  The  Knuth-Bendix  completion 
algorithm  can,  for  certain  sets  of  rewrite  rules,  recover  this  power  automatically 
without  running  these  risks.  If  the  algorithm  terminates  successfully  then  it  is 
guaranteed  that  the  new  set  of  rules  it  produces  is  terminating,  does  not  contain 
inconsistencies,  and  recovers  all  the  power  lost. 

The  algorithm  can  also  be  said  to  automate  deduction,  by  making  it  automatic  in 
deciding  whether  a  given  expression  should  simplify  to  true  with  respect  to  the  original 
equations.  In  the  MALPAS  system,  the  algorithm  would  m^e  the  algebraic 
simplifier  more  powerful. 


24 


References 


1.  B.  D.  Bramson  'Tools  for  the  Specification,  Design,  Analysis  and  Verification  of 
software".  RSRE  report  number  87005  (1987) 

2.  N.  Dershowitz  'Termination  of  Rewriting" 

pp  69  - 1 15  in  Journal  of  Symbolic  Computation,  Vol  3  (1987) 

3.  A.  J.  J.  Dick  "Automated  Equational  Reasoning  and  the  Knuth>Bendix  Algorithm:  An 
Informal  Introduction" 

Rutherford  Appleton  Laboratory  report  number  RAL-88-043  (1988) 

4.  D.E.  Knuth  and  P.B.  Bendix  "Simple  Word  Problems  in  Universal  Algebras" 

pp  263  -  297  in  Computational  Problems  in  Abstract  Algebra,  ed  J.  Leech,  Pergamon 
press  (1970) 

5.  MALPAS  Intermediate  Language  (Version  4.0).  Rex,  Thompson  and  partners  (1987) 

6.  J.  A.  Robinson  "A  Machine-Oriented  Logic  Based  on  the  Resolution  Principle" 

pp  23  -  41  in  Journal  of  the  Association  for  (Computing  Machinery,  Vol  12,  No  1  (1965) 

7.  C.  T.  Sennett  "Review  of  Type  Checking  and  Scope  Rules  of  the  Specification 
Language  Z".  RSRE  report  number  87017  (1987) 

8.  J.  M.  Spivey  "The  Z  Notation:  A  Reference  Manual" 

Prentice-Hdl  International,  Series  in  Computing  Science  (1988) 


25 


\ 


OOCUNCIT  CONTROL  SHEET 


Ov»r»n  stcurHy  tlissifiotlon  <s1  . . . . ?.? . 

(As  far  as  possible  Ibis  sbaef  should  confaio  only  unclasstflad  Inforaation.  If  ii  is  nacassary  lo  enter 
classified  inforaalion,  (he  boi  concerned  aus(  be  aarked  to  Indicate  (he  classification  ag  (R)  (C)  or  (S)  ) 


1.  ORIC  Reference  (if  knoun)  2.  Originator's  Refarence  3.  Agency  Reference  4.  Report  Security 

Memo  k323  U/C  Classification 


S.  Originator's  Code  (if  6.  Originator  (Corporate  Author)  Naoe  and  location 
knoun)  ROYAL  SIGNALS  &  RADAR  ESTABLISHMENT 
T78IIOOO  ST  ANDREWS  ROAD,  GREAT  MALVERN, 

WORCESTERSHIRE  WRiA  3PS 


5a.  Sponsoring  Agency's  Be.  Sponsoring  Agency  (Contract  Authority)  Naae  and  Location 

Code  (if  knoun) 


THE  KNUTH  -  BENDIX  COMPLETION  ALGORITHM  AND  ITS  SPECIFICATION  IN  Z. 


7a.  Title  in  Foreign  language  (in  the  case  of  translations) 


7b.  Presented  at  (for  conference  nepers)  Title,  place  and  date  of  conference 


8.  Author  1  Surnaae.  initials  9(a)  Author  2 

Smith  A 


11.  Contract  Ruaber 


9(b)  Authors  3.4. 


13,  Pro)ect 


10.  Date  PP.  ref. 
9.1989  23 


U.  Other  Reference 


15.  Distribution  stpteuent 

UNLIMITED 

Descriptors  (or  keyuords) 

cpntinut  on  sppirpto  piict  of  PWtr 

Proving  that  something  Is  a  consequence  of  a  set  of  axioms  can  be  very 
difficult.  The  Knuth-Bendlx  completion  algorithm  attempts  to  automate  this 
process  when  the  axioms  are  equations.  The  algorithm  Is  bound  up  In  the  area 
of  term  rewriting,  and  so  this  memorandum  contains  an  introduction  to  the  theorj 
of  term  rewriting,  followed  by  an  overview  of  the  algorithm.  Finally  a  formal 
specification  of  the  algorithm  is  given  using  the  language  Z  [7,8]. 


